# Policy Denials

> Step-by-step guide to finding out why a token request was denied.

## Step 1 — Find the denial in the audit log

Go to **Audit Log** and filter by event type `oauth.token_denied` and outcome `failure`. Click the event to see the full details including the exact input that was evaluated.

## Step 2 — Use the What-If Tester

Go to **Policies → \[your policy] → What-If** and enter the same request:

```
Agent ID: [your agent's ID]
Action:   [the scope that was denied]
Resource: [the resource being accessed]
```

The result shows the exact rule and line number that made the decision.

## Step 3 — Fix the policy

Update the policy in the editor. Use **Shadow Mode** to test the fix in production before activating:

1. Update the policy with Shadow Mode on
2. Monitor the audit log for 24 hours
3. Click **Activate** when confident

## Common denial reasons

| Reason                | Fix                                                                     |
| --------------------- | ----------------------------------------------------------------------- |
| No policy assigned    | Go to agent Settings → Policies and assign one                          |
| Wrong scope format    | Use lowercase colon-separated: `stripe:customer:read`                   |
| Agent is suspended    | Check the agent's status badge                                          |
| Policy in shadow mode | Shadow mode evaluates but doesn't enforce — activate it                 |
| Rego syntax error     | A policy with a syntax error defaults to deny — use Preview to validate |
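
When many denials accumulate, for example during the 24-hour Shadow Mode window, it helps to separate requests that fail the scope format rule from those that need a What-If replay. The following Python script is an added example, not part of the product or its documentation. It assumes the audit log can be exported as one JSON object per line with the hypothetical fields `event_type`, `outcome`, `agent_id` and `scope`, and it assumes scope segments consist of lowercase letters, digits, `_` or `-`.

```python
import json
import re

# Assumption: segments are lowercase letters, digits, "_" or "-", joined by ":".
# The page itself only says "lowercase colon-separated" (stripe:customer:read).
SCOPE_RE = re.compile(r"[a-z0-9_-]+(:[a-z0-9_-]+)+")

# Constructed sample export, one JSON object per line; field names are hypothetical.
SAMPLE_EXPORT = """\
{"event_type": "oauth.token_denied", "outcome": "failure", "agent_id": "agent-a", "scope": "Stripe:Customer:Read"}
{"event_type": "oauth.token_issued", "outcome": "success", "agent_id": "agent-a", "scope": "stripe:customer:read"}
{"event_type": "oauth.token_denied", "outcome": "failure", "agent_id": "agent-b", "scope": "stripe.customer.read"}
{"event_type": "oauth.token_denied", "outcome": "failure", "agent_id": "agent-b", "scope": "stripe:customer:write"}
{"event_type": "oauth.token_denied", "outcome": "failure", "agent_id": "agent-b", "scope": "stripe:customer:write"}
not json
"""


def scope_problem(scope):
    """Return a short reason if the scope is malformed, else None."""
    if SCOPE_RE.fullmatch(scope):
        return None
    if scope != scope.lower():
        return "contains uppercase"
    if ":" not in scope:
        return "not colon-separated"
    return "empty segment or unexpected character"


def triage(export_text):
    """Split denied requests into malformed scopes and ones to replay in What-If."""
    malformed, needs_what_if, skipped = {}, {}, 0
    for line in export_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            skipped += 1  # unparseable line: count it rather than hide it
            continue
        if ev.get("event_type") != "oauth.token_denied" or ev.get("outcome") != "failure":
            continue
        key = (ev.get("agent_id"), str(ev.get("scope", "")))
        reason = scope_problem(key[1])
        if reason:
            malformed[key] = reason
        else:
            needs_what_if[key] = needs_what_if.get(key, 0) + 1
    return {"malformed": malformed, "needs_what_if": needs_what_if, "skipped": skipped}
```

Calling `triage(SAMPLE_EXPORT)` returns the malformed scopes with a reason each, plus a count of well-formed denials per agent and scope; the latter are the ones to enter into the What-If Tester.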
